Don't Blame China For Security Hacks, Blame Yourself

Focus on the sorry state of your information security defenses before worrying about the Chinese, Russians, hacktivists or cybercrime gangs.


The Chinese are coming! The Chinese are coming!

Thanks to headlines splashed over every major newspaper in recent weeks, you'd be hard-pressed to miss the news that digital forensic investigation firm Mandiant has blamed People's Liberation Army (PLA) Unit 61398, a Chinese military cyber operations group, for launching advanced persistent threat (APT) attacks against over 140 businesses and government organizations since 2006.

Clearly, the panic button has been pushed. But as happens too often with outbreaks of sudden or uncontrolled anxiety, it misses the point: Don't worry about China. Worry instead if the pitiful state of your information security defenses will allow any attacker to wield nothing more than malicious email attachments to steal valuable intellectual property or even state secrets.

"The Chinese are like the Kardashians," says John Pescatore, a former Gartner analyst who last month joined the SANS Institute as director of emerging security trends, speaking by phone. "There are thousands of attacks and many are just as clever, using the same techniques -- before we saw them in Chinese attacks. But you mention China in an attack, and every radio or news station picks it up."

The folly of the Chinese blame game has been quickly seized upon by information security experts. "If you know that the People's Liberation Army is spying on you, do you change your defenses? How? Do you look for Chinese language intrusion prevention tools?" said Alan Paller, director of research for SANS, in a recent newsletter.

"The continuous China bashing simply reflects the inability of watchers to see evidence of the stealthier attacks coming from many nations that may take a different approach to penetrating our telecommunications and banking and power systems and stealing our national wealth," he said. "The number of bad actors, spread among nations, terrorists, anarchists and criminals, is so great that their identity is not as important as what we do to defend our systems -- because they usually exploit the same weaknesses."

No doubt some of the China-bashing stems from outrage over the perception that business ideas are being stolen from American entrepreneurs who spent their own time and money to develop them. "China, France, and several other countries have been known -- for dozens of years -- to do government-sponsored industrial espionage," says Pescatore. "The U.S. tends to not do that. We do intelligence collection as a country. We may or may not have been part of Stuxnet, where cyber is used in the name of national defense. But the U.S. has never been one to say, 'Let's go help U.S. industry by helping to spy on Huawei,' for example."

The crux of the matter, however, is that without robust information security practices, your network can be owned by anyone from a hacktivist group or angry ex-employees to online criminal gangs and foreign intelligence services. The point isn't who owned you, but rather that despite the prevalence of known -- and cost-effective -- defenses against these types of attacks, you failed to protect your business.

Take last week's news that Apple, Facebook, Microsoft and Twitter were all compromised by attackers who gained access to a third-party iOS development website, then used it to infect visitors' Mac OS X systems via drive-by malware attacks against a zero-day vulnerability in Java. Twitter's systems were compromised, and 250,000 user accounts exposed. Facebook, meanwhile, said it saw suspicious activity on its network, which it traced back to developers' Mac OS X systems, which led to a security lockdown. Apple and Facebook haven't said what attackers did or didn't access, except to say that it doesn't seem to have included user data. Still, score "one" for their information security defenses.

Who attacked the tech giants? From a defensive standpoint, it doesn't matter. The point is that the businesses managed to defend themselves relatively well. Now it's up to other businesses to follow their example.

Hacking is far too easy -- more than 90% of targeted attacks succeeded using only the most basic of exploits. Then again, only 3% of breaches would have required expensive or complicated defenses to stop. Those statistics come from a recently released report, "Raising the Bar for Cybersecurity," written by White House cyber security advisor Jim Lewis, of the Center for Strategic and International Studies (CSIS).

To create better information security defenses, Lewis says businesses should look to Australia's Defense Signals Directorate (DSD), which together with the National Security Agency compiled a list of 35 techniques which block over 85% of all known attacks.

"Agencies and companies implementing these measures saw risk fall by 85% and, in some cases, to zero," says Lewis.

SANS has launched a related effort -- helmed by former NSA official Tony Sager and Pescatore -- to drive businesses to adopt these countermeasures. "What we as a community must do is identify the barriers that stop broad based adoption of these defenses and lower them," says Paller, who's called on information security experts to email SANS ("cca@sans.org") with the top barriers they're currently facing.

For the rest of us, let's judge businesses' information security efforts based not on who might be attacking them, but on how well they defend themselves. "If you close the vulnerability, you keep out the Chinese APT attacker, Russian organized crime, Anonymous group and the pissed-off teenager," says Pescatore. "Because there are a whole lot more cyber criminals than there are countries of China."

For all of the perimeter protection activities everyone is working so hard on - the sad fact is that security still is like a Smartie - hard on the outside, soft and mushy on the inside.

There has been more focus of late on internal security work - but we're finding there is a long way to go. It's not just about having 2FA or more crypto on VPN tunnels - it's about building more context for the persona of the identity - knowing more and more about it to enable better decisioning via automated systems.

For example, if you have layers 1-3 managed via 'Identity Aware' systems, and upper layers (OS/apps) also understanding Identity, they can make better decisions about whether to allow this login from an internal service account that was just reset 14 seconds ago in another data center, that hasn't been reset in 5 years and is an un-owned ID.

We are working hard on delivering that vision - where all systems involved in the operation have more information about context and persona - since we all believe in Security in Depth, in my opinion the 'depth' comes from having more understanding of the context and stance of that permission/access/group, etc. It's not just jamming attributes onto a user - it's about bringing it all together to support a cohesive and heterogeneous infrastructure.
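The identity-aware decisioning the commenter describes, as an added illustration that is not the commenter's or any vendor's code: a hypothetical `assess_login` function combines account context (ownership, reset history, the data center where the reset happened) with the login attempt and returns a decision plus the reasons behind it. The data classes, thresholds and the allow/step-up/deny policy are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical identity context (constructed for this example, not a real schema).
@dataclass
class AccountContext:
    account_id: str
    owner: Optional[str]             # None means nobody is accountable for the ID
    last_reset: Optional[datetime]   # most recent credential reset
    previous_reset: Optional[datetime]
    reset_site: Optional[str]        # data center where the last reset happened

@dataclass
class LoginAttempt:
    account_id: str
    site: str                        # data center the login arrives at
    at: datetime

def assess_login(acct: AccountContext, attempt: LoginAttempt) -> dict:
    """Turn identity context into a decision and list the signals that drove it."""
    reasons = []
    if acct.owner is None:
        reasons.append("un-owned account")
    if acct.last_reset is not None:
        age = attempt.at - acct.last_reset
        if age < timedelta(minutes=5):
            reasons.append(f"credential reset {int(age.total_seconds())}s before login")
        if acct.reset_site and acct.reset_site != attempt.site:
            reasons.append(f"reset in {acct.reset_site}, login arriving at {attempt.site}")
        if acct.previous_reset and acct.last_reset - acct.previous_reset > timedelta(days=4 * 365):
            reasons.append("dormant credential: no reset for over 4 years before this one")
    # Assumed policy: no signal -> allow, one -> step-up auth, two or more -> deny.
    decision = "allow" if not reasons else ("step_up" if len(reasons) == 1 else "deny")
    return {"decision": decision, "reasons": reasons}

def demo_suspicious() -> dict:
    # Constructed scenario from the comment: service account reset 14 seconds ago in
    # another data center, not reset for 5 years before that, and un-owned.
    now = datetime(2013, 2, 25, 12, 0, tzinfo=timezone.utc)
    acct = AccountContext("svc-batch-01", None, now - timedelta(seconds=14),
                          now - timedelta(seconds=14) - timedelta(days=5 * 365), "dc-east")
    return assess_login(acct, LoginAttempt("svc-batch-01", "dc-west", now))

def demo_normal() -> dict:
    # Constructed baseline: owned account, routine 90-day rotation, same site.
    now = datetime(2013, 2, 25, 12, 0, tzinfo=timezone.utc)
    acct = AccountContext("svc-batch-02", "platform-team", now - timedelta(days=30),
                          now - timedelta(days=120), "dc-east")
    return assess_login(acct, LoginAttempt("svc-batch-02", "dc-east", now))
```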

While I don't disagree that organizations need to pay more attention to their own information security requirements .... diverting blame from the Chinese (or whoever) for their *actions* is tantamount to not prosecuting a home invader because I didn't have a crash bar installed on my front door.

We certainly need to engage in preemptive protections because there are "bad guys" in the world, but the "bad guys" need to be held accountable for their actions ... always!

As an IT professional, I am worried that my peers may not be protecting their assets properly, may not be adequately documenting their work, and may be opening themselves up for theft or data loss. I'm also aware that there are individuals and groups who engage in criminal behavior online, just as there are pickpockets, muggers, and murderers in real cities. To some extent, I worry about my own physical and digital security. Your comment about the roles of NOCs is pertinent. However, I choose to think that nation-states, which are signatories to treaties including the UN charter and are subject to declarations of war, should be held to a different standard than random individual criminals. I am not happy that {insert country names here} are engaging in active, offensive cyber attacks on companies. If a group of Chinese army soldiers entered the NY Times facilities, broke equipment, and stole confidential documents, this would constitute a real and substantial breach of international relations. Why should I take a different view if the incursion, damage and theft occurred digitally? Because the law and rules have not caught up with technology?

While I think it's a little tough to blame the victim for the crime, I get the point you're making. If you don't lock the door, you might expect thieves.

Truth is, most data breaches aren't a result of hacking and malicious activity - they're a result of us all making dumb mistakes. Forrester estimates over 60% of breaches are a result of accidents - sending files to the wrong distribution list, syncing a file on insecure cloud services, or leaving that thumb drive on the train. For an interesting perspective see http://blogs.computerworld.com...

Don't be worried that the Chinese Army is actively engaging in cyber espionage. Worry that the rest of the world is doing the same without a whole lot of commotion being made over their attempts.

And consider that anyone with a computer can either be actively or passively (as part of a botnet) engaging in cyber espionage. Now, you too can truly be an "army of one" and attack any civilian or military target you want from the comfort and safety of your own home. Just as any other person connected to the Internet can do the same.

Worry that the folks operating the NOCs for the ISPs and other providers aren't recognizing and stopping these acts while they're in the core, before they get to the endpoint or the destination. Worry that enterprises exist where only one person has control of all of the security related information, and it's all in their head.

Stopping "piracy" on the "high nets"... that's a good one. Remove the need to accumulate wealth from human nature and I think you'll have a good start. Best way to do that would be to make sure that all basic human needs are met for each human on the face of the planet... but that gets in an entirely different discussion.

From an IT security point-of-view, I can agree that private companies are responsible for implementing common sense fixes. From a citizen's point of view, I am very worried that the army of the country with the world's second largest economy is actively engaging in cyber espionage. The fact that other nation-states do this also is not comforting, either. This is real money we're talking about here. We sent gunboats to stop Somali pirates who were stealing real money. What are the alternatives for convincing nation-states to stop piracy on the "high nets"?

On one hand it's encouraging that some relatively simple steps can be taken to reduce security risks. On the other hand, it's frustrating that many of these steps have been available to us for years and years and years, and yet the security community still has to repeat this message over and over.

War, whether cyber or physical, is big business. Sold the Pentagon all the stealth bombers it needs? Gin up outrage against China to sell the latest infosec defensive mechanism. Sadly, there's not much profit in common sense (read: whitelisting and limiting admin access). Lorna Garey, IW Reports.
